Lucene search
+L

3005 matches found

nuclei
nuclei
added yesterday113 views

WordPress Hero Maps Premium <=2.2.1 - Cross-Site Scripting

WordPress Hero Maps Premium plugin 2.2.1 and prior contains an unauthenticated reflected cross-site scripting vulnerability via the views/dashboard/index.php p parameter. id: CVE-2019-19134 info: name: WordPress Hero Maps Premium =2.2.2 or apply the vendor-provided patch to fix the XSS...

6.1CVSS6.4AI score0.05651EPSS
Exploits2References5
nuclei
nuclei
added yesterday14 views

WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'armdirectorypagingaction' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of...

7.5CVSS6.1AI score0.01383EPSS
Exploits1References4
nuclei
nuclei
added yesterday16 views

Premium Addons for Elementor - Unauthenticated Information Disclosure

Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability.The vulnerability exists due to a missing authorization check in the gettemplatecontent AJAX handler, allowing unauthenticated attackers to retrieve private...

5.3CVSS6.1AI score0.00715EPSS
Exploits0References4
nuclei
nuclei
added yesterday42 views

GP Premium <= 2.4.0 - Cross-Site Scripting

The GP Premium plugin for WordPress up to 2.4.0 is vulnerable to reflected XSS via the 'message' parameter in inc/verify.php lines 95-101, where a message passed with slactivation=false is URL-decoded and used unsanitized in addsettingserror, allowing XSS payloads to be reflected in admin notices...

6.1CVSS6AI score0.00637EPSS
Exploits0References2
nvd
nvd
added 5 days ago7 views

CVE-2026-12141

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...

4.9CVSS0.00193EPSS
Exploits0References5
cvelist
cvelist
added 5 days ago34 views

CVE-2026-12141 Premium Addons for Elementor <= 4.11.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'premium_tooltip_text' Parameter

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...

4.9CVSS0.00193EPSS
Exploits0References5
cve
cve
added 5 days ago18 views

CVE-2026-12141

The CVE-2026-12141 entry describes a Stored Cross-Site Scripting vulnerability in the Premium Addons for Elementor – Powerful Elementor Templates & Widgets WordPress plugin. Affected component: the premium_tooltip_text parameter; impact arises from insufficient input sanitization and output escap...

4.9CVSS6.2AI score0.00193EPSS
Exploits0References5
euvd
euvd
added 5 days ago6 views

EUVD-2026-43142

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...

4.9CVSS6.2AI score0.00193EPSS
Exploits0References5
nvd
nvd
added 2026/07/09 10:16 a.m.17 views

CVE-2026-15158

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...

9.8CVSS0.00995EPSS
Exploits0References3
euvd
euvd
added 2026/07/09 8:31 a.m.7 views

EUVD-2026-42549

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...

9.8CVSS6.6AI score0.00995EPSS
Exploits0References3
cve
cve
added 2026/07/09 8:31 a.m.20 views

CVE-2026-15158

Blocksy Companion

9.8CVSS6.6AI score0.00995EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/07/09 8:31 a.m.8 views

CVE-2026-15158

The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...

9.8CVSS6.6AI score0.00995EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/07/09 12:0 a.m.8 views

PT-2026-56760

Name of the Vulnerable Software and Affected Versions Blocksy Companion versions prior to 2.1.47 Description The Blocksy Companion plugin for WordPress allows unauthenticated arbitrary file upload through the save attachments function. The issue occurs because the Custom Fonts extension uses a wp...

9.8CVSS6.3AI score0.00995EPSS
Exploits0References8
nvd
nvd
added 2026/07/06 8:16 a.m.9 views

CVE-2026-11962

The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and...

8.8CVSS0.00435EPSS
Exploits0References1
nvd
nvd
added 2026/07/02 12:17 p.m.6 views

CVE-2026-57353

Subscriber Broken Access Control in Link Whisper Premium = 2.9.0 versions...

6.5CVSS0.00299EPSS
Exploits0References1
nvd
nvd
added 2026/07/02 12:16 p.m.6 views

CVE-2026-27060

Contributor PHP Object Injection in ARMember Premium = 7.0 versions...

8.8CVSS0.00288EPSS
Exploits0References1
cve
cve
added 2026/07/02 11:15 a.m.14 views

CVE-2026-57750

The CVE-2026-57750 entry concerns the WordPress plugin ez Form Calculator Premium (versions up to and including 2.14.1.2). The vulnerability is described as Unauthenticated Broken Access Control , implying that unauthenticated users can access or manipulate resources they should not be able to. T...

5.3CVSS5.8AI score0.00184EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/07/02 11:15 a.m.10 views

CVE-2026-57750

Unauthenticated Broken Access Control in ez Form Calculator Premium = 2.14.1.2 versions...

5.3CVSS5.8AI score0.00184EPSS
Exploits0References2
cve
cve
added 2026/07/02 11:15 a.m.17 views

CVE-2026-57353

The CVE concerns WordPress Link Whisper Premium plugin &lt;= 2.9.0 with a Broken Access Control issue. The accompanying CVSS data (Patchstack, v3.1) indicates an external attack over network, with low privileges and no user interaction, potentially affecting integrity (I: High) while confidential...

6.5CVSS5.8AI score0.00299EPSS
Exploits0References1
cvelist
cvelist
added 2026/07/02 11:14 a.m.37 views

CVE-2026-27060 WordPress ARMember Premium plugin <= 7.0 - PHP Object Injection vulnerability

Contributor PHP Object Injection in ARMember Premium = 7.0 versions...

8.8CVSS0.00288EPSS
Exploits0References1
Rows per page
Query Builder